Doxed: how Sabu was outed by former Anons long before his arrest

When LulzSec went public with its hacks last year, it faced widespread …

When the FBI arrested LulzSec leader Hector "Sabu" Monsegur, they did so in a hurry—hours before the arrest, Sabu was doxed, his identity posted to the Internet. With his name public, federal agents feared that he would start destroying evidence to protect himself, so they ended their covert surveillance and moved in, according to Fox News.

Efforts to name and shame the LulzSec crew during its 50-day rampage were common. Many of these doxings were inaccurate, a result of faulty inferences or deliberate attempts to mislead on the part of the LulzSec hackers.

But not all were wrong. In fact, the game of doxing Sabu was over before it had even started. He was correctly doxed more than two months before his arrest—in fact, more than a month before LulzSec had even started publicly operating.

This first doxing happened after a group of former Anonymous members, displeased at the moralizing direction that Anonymous had taken and at Sabu's leadership role, decided to take action. Speaking to Gawker almost one year ago, the dissident group calling itself Backtrace Security announced that it was going to post chat transcripts and information about the identities of Anonymous members.

Several days later, it followed through on its promise, releasing IRC logs called "consequences.pdf" (MD5 checksum: a4084efa1713447d295919b4670769da) and a file called "namshub.pdf" (MD5 checksum: 042a645a1bf4cdfb433887424455234e) that showed a spreadsheet of online names, real names, locations, and other evidence about Anonymous members. (The files have now been pulled, allegedly at the "request of the Federal Bureau of Investigation.")

While at least some of the information in namshub.pdf is incorrect—subsequent arrests have established the real identities of Topiary and Kayla, and they don't match Backtrace's claims—one name stands out. Sabu is identified as "Hector Xavier Montsegur." This is slightly misspelled, but it's the right name nonetheless. The document also claimed, correctly, that Sabu lives on New York City's Lower East Side.

The PDFs garnered some attention at the time—they even resulted in Backtrace Security being doxed—but apparently not enough attention to force the FBI's hand.

Backtrace then decided to out Sabu again. Early in the evening of June 7, the day of Sabu's arrest, the Twitter account belonging to Backtrace Security wrote: "Hector Xavier Montsegur -aka Xavier de Leon - aka (Sabu)." The same misspelling, but the same correct name.

Doxings continued even after Sabu's arrest and eventual co-operation with the FBI. These subsequent attempts retained the hit-and-miss pattern of Backtrace's "namshub" document. Sabu was variously claimed to be Hector Monsegur, Hector Montsegur, and "Hugo Carvalho."

The bad information in the doxings had many convinced, however. After Jake "Topiary" Davis was arrested in the UK, some outlets even claimed that the police had got it wrong and that the person arrested couldn't be Topiary, because the dox (from Backtrace and others) fingered him as a Swede.

As for how Sabu was identified? Fox reports that the FBI depended on a mistake by Sabu: he accidentally joined an Anonymous IRC server from his own IP address rather than connecting via anonymizing service Tor. Backtrace might have similarly depended on this mistake.

But some of the doxers went a different route. Sabu occasionally mentioned ownership of a domain called prvt.org in his chats, including those in Backtrace's "consequences" document. Every domain registration is associated with corresponding information in the WHOIS database. This information is supposed to include the name and address of the domain's owner.

Often this information is incorrect (most domain registrars do nothing to validate it) or anonymized (many firms offer "proxy" domain registration, so the WHOIS database contains the details of the proxy registrar, rather than the person using the domain). Monsegur appeared to use one of these anonymizing services, Go Daddy subsidiary Domains By Proxy, for registering the prvt.org domain.

The registration for the domain was due to expire on June 25, 2011, requiring Monsegur to renew it. But for some reason—error on Monsegur's part perhaps, or screw-up by the registrar—the renewal was processed not by Domains By Proxy but by its parent, Go Daddy. Unlike Domains By Proxy, Go Daddy uses real information when it updates the WHOIS database, so on June 24 (the day before it was due to expire), Monsegur's name, address, and telephone number were all publicly attached to his domain name.

Sabu's full name and address in the public WHOIS database. Whoops.
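The failure mode described above, a proxy-registered domain whose renewal silently writes the owner's real details into the public record, is something a domain owner can detect by periodically snapshotting their own WHOIS record and diffing it. The following is an added example, not code from the article or from any registrar; the field names, the proxy-marker list and both records are constructed for illustration.

```python
# Added example (not from the article): detect a WHOIS privacy lapse by
# diffing two registrant snapshots of your own domain. Field names, the
# proxy-marker list and both records below are constructed for illustration.
import re

# Registrant fields whose change matters for privacy (constructed list).
REGISTRANT_FIELDS = ("Registrant Name", "Registrant Organization",
                     "Registrant Street", "Registrant Phone")
# Substrings marking a privacy-proxy service as the registrant of record.
PROXY_MARKERS = ("domains by proxy", "privacy", "proxy")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; later duplicate keys win."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*\S)\s*$", line)
        if m:
            record[m.group(1).strip()] = m.group(2)
    return record


def is_proxied(record):
    """True if the registrant name/organization looks like a privacy proxy."""
    who = (record.get("Registrant Organization", "") + " " +
           record.get("Registrant Name", "")).lower()
    return any(marker in who for marker in PROXY_MARKERS)


def privacy_drift(old_text, new_text):
    """Return (lost_protection, changed_fields) between two snapshots."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    changed = {f: (old.get(f), new.get(f)) for f in REGISTRANT_FIELDS
               if old.get(f) != new.get(f)}
    return is_proxied(old) and not is_proxied(new), changed


# Constructed snapshots: a proxy-registered record, then the same domain
# after a renewal wrote the owner's own details into the public record.
BEFORE = """Domain Name: EXAMPLE.ORG
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Phone: +1.0000000000
"""
AFTER = """Domain Name: EXAMPLE.ORG
Registrant Name: Jane Placeholder
Registrant Street: 1 Constructed Lane
Registrant Phone: +1.5550100000
"""
```

Run `privacy_drift(BEFORE, AFTER)` from a scheduled job against fresh lookups of your own domain and alert whenever the first element flips to True.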

Monsegur quickly remedied the mistake, changing the WHOIS registration to use various other identities—first to that of Adrian Lamo (who reported Bradley Manning to authorities) and then to "Rafael Lima" and subsequently to "Christian Biermann". This attempt to mislead those relying on the WHOIS information successfully misled some would-be doxers. But not all: by August there were extensive dossiers on Sabu's true identity.

Ultimately, the doxers and Backtrace Security did more than just name Sabu; they also fingered him as co-operating with the FBI. Whether by luck or judgement, Sabu detractors regularly accused him of working for law enforcement. Turns out they were right about that, too.

A chain is only as strong as its weakest link, and Sabu was apparently the weak link. He stupidly forgot to cover his own tracks, and other people stupidly trusted someone they didn't know to not only be smart enough to cover their own tracks but to not turn into an FBI informant when they get caught.

I would have thought the whole point would have been to stay anonymous, ESPECIALLY to anonymous.

It seems like every time you hear about hacker rings being broken (and I have heard about a few at various security conferences) it is invariably the first one caught that can't wait to spill the beans to soften the sentence.

But of course YOU would stay schtum and take an extra few years of molestation in the showers right?

It is because Force is ill regulated, that revolutions prove failures. Therefore it is that so often insurrections, coming from those high mountains that domineer over the moral horizon, Justice, Wisdom, Reason, Right, built of the purest snow of the ideal after a long fall from rock to rock, after having reflected the sky in their transparency, and been swollen by a hundred affluents, in the majestic path of triumph, suddenly lose themselves in quagmires, like a California river in the sands.

This is some wonderful word salad right here.

I love that GoDaddy fucked him. Don't use a shitty cheap-ass service for your DNS, people!! Oh and 7 proxies... lulz

Consider the victims of this group over nearly a year. What are those victims thinking, knowing that the FBI was behind those attacks? They controlled the leader of the group, hence the FBI not only ran those attacks, they initiated them. If the FBI considers these crimes so bad, deserving apparently 100-year or more sentences, how could they have sanely allowed them to occur for months and months at their behest and under their control? So: class action lawsuit against the FBI for millions of dollars of damages for the crimes they arranged to be committed. The FBI attacking the internet as 'Anonymous'... I would have to think a lot of people associated with 'Anonymous' would have to laugh at how they got a government to do their dirty work for them and catch all of five people in the process, all of whom can mount serious entrapment defences, as the leader, the person in charge, the one recruiting others and instigating crimes, was acting as an agent for the FBI (a person who acts on behalf of another, in particular). The FBI agents who wished to remain 'Anonymous' (seriously, who could make this stuff up) were laughing it up at their success over 'Anonymous'; in reality 'Anonymous' is laughing at the government for attacking itself.

It takes some convenient assumptions to reach such a juicy conclusion.

The problem with anonymous is that for as much as they like to claim their lofty ideals, many of them are in it for the fame and recognition. So they really can't help themselves from talking. It's also why they roll over so quick when they get caught.

just to add one more thing: It seems like the people they've arrested did not have a ton going for them so chances are a good portion of their social life revolved around anonymous. If you talk to people long enough things will slip. Like getting arrested, or protesting something in person, etc.

Well, it's not like the FBI shipped guns to Mexican warlords or anything.

First off, at least the people they've arrested so far committed the crimes and wanted him to get involved. Not entrapment. Second, the FBI, state, and local police send people undercover all the time, many times allowing them to commit crimes themselves while building a case. So good luck with your class action lawsuit. Just an aside, what is with Ars and their class action lawsuits? Anytime a company does something they don't like, 2 or 3 people start shouting for a class action lawsuit. The only people who make money off it are the lawyers. Best case, you force the company's policy and other companies follow suit.

Why would anyone try to connect to somebody else's network? Wouldn't the signal be way too weak, and the delay time too long? I've used library networks from inside the library and they were fine. You go just outside on a warm summer day in order to get some sun, and the delay gets noticeable and untenable, let alone the quickly diminishing signal strength. I KNOW people claim that they used to drive around in cars and do that, but I just don't see it as being useful.

This is what directional antennas and mini amplifiers are for. There's a lot of really effective, really cheap gear you can use for exactly this type of thing. Saw tons of people with the "pringles can" antennas while I was in Djibouti, so they could get the free wifi from the MWR, as opposed to pay US$90/month for a 512Kb/s connection in the CLUs (that would randomly go down for days at a time, and you don't get any credit for it against the price).

Pfft. Omnidirectional antenna on your car, do a bit of passive wardriving, scope the area for cameras of any kind and don't use an AP in an area that might see your car repeated times, pick 6 different targets in a 15 mile radius that are open and strong from your car. And bounce from AP to AP. And that's just me being paranoid. Oh and swap around MAC addresses from time to time. Hell, if you want to be REALLY paranoid, pick up a half dozen half-height WiFi cards for your laptop off eBay and swap them off for the real thing when you are using your system, with a hard drive that is removed from your system each time you are done "working". Or just buy a cheap ThinkPad off eBay.